| Bug ID | 1174504 |
|---|---|
| Summary | AUDIT-0: allow ping and ICMP commands without CAP_NET_RAW |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.1 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | Andreas.Stieger@gmx.de |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are enabled via sysctl ping_group_range (net.ipv4.ping_group_range /proc/sys/net/ipv4/ping_group_range - covering IPv6 as well) and are supported since 3.0 and 3.11 for IPv6. https://github.com/torvalds/linux/commit/c319b4d76b9e583a5d88d6bf190e079c4e43213d#diff-5b536a7a92abed603bbb4caa61613270R57 This would remove the need for RAW socket access while allowing users to do the same thing they can do now. iputils: /usr/bin/ping = cap_net_raw+p /usr/bin/ping6 -> /usr/bin/ping https://github.com/openSUSE/permissions/blob/master/profiles/permissions.secure#L141-L142 fping: /usr/sbin/fping = cap_net_raw+ep https://github.com/openSUSE/permissions/blob/master/profiles/permissions.secure#L341-L343 Last touched via bug 1047921 AUDIT-0: fping: possibly allow users to run non-disruptive options User-mode traceroute -I would start working. If reviewed okay, ship the sysctl preset to allow interactive users by default, and update iputils and fping to remove the capability (and others). iputils has had this support for a while, fping since 4.3.